TACACS+ Configuration Network Devices asking for Enable password

joseluis
Level 1

Hi Cisco Community,

I'm new to configuring TACACS, hope you can help me.

I have an issue: every time I log in using my TACACS+ account, it still asks me for the enable password.

Based on the config below, what is the command here that still asks me for the enable password? Or should I delete the enable password itself to bypass that?

My goal is:

1. Whenever I log in with my credentials using my TACACS+ account, I can already proceed to priv mode, and the device should not ask for the enable password.

2. Are all the configs here necessary? If not, can you help me identify which commands are unnecessary to achieve goal 1?

CONFIG:

aaa new-model
aaa group server tacacs+ default
server 172.x.x.x
!
aaa group server tacacs+ ciscosecure
server 172.x.x.x.x
!
aaa authentication login default group tacacs+ line
aaa authentication login console line none
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
aaa session-id common

tacacs-server host 172.x.x.x
tacacs-server directed-request
tacacs-server key 7 030A0B090A1A2F481D1B
radius-server source-ports 1645-1646

Accepted Solution

balaji.bandi
Hall of Fame

Add the line below.

aaa authorization exec default group tacacs+ local if-authenticated

With the “if-authenticated” keyword at the end of this line, if authenticated we will immediately be dropped into exec (enable) mode.

Make sure you always do this on a test device with console access; if you lock yourself out, you have console access to fix it.

Test and advise.

BB


hslai
Cisco Employee

Also check out several T+ resources @ http://cs.co/ise-guides

The login user needs a default privilege set to its enable level for this to work, besides the configuration line provided.
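
An added example, not part of the original thread or any Cisco tooling: a small Python check that parses the AAA method lists from a saved IOS configuration and reports when TACACS+ login is configured without a default EXEC authorization list, which is the gap in the configuration posted above. The function names `method_lists` and `audit_exec` are hypothetical, and the sample text is the AAA lines copied from the question. It cannot see whether the TACACS+ server actually assigns the user a privilege level, which the last reply points out is also required.

```python
# Sample input: AAA lines copied from the question on this page.
QUESTION_AAA = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authentication login console line none
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
"""
# The line proposed in the accepted solution.
ANSWER_LINE = "aaa authorization exec default group tacacs+ local if-authenticated\n"


def method_lists(config):
    """Map (kind, service, list_name) -> ordered methods (hypothetical helper)."""
    found = {}
    for line in config.splitlines():
        w = line.split()
        if len(w) < 5 or w[0] != "aaa" or w[1] not in ("authentication", "authorization"):
            continue
        if w[2] == "commands":      # form: commands <level> <list> <methods...>
            service, name, rest = "commands " + w[3], w[4], w[5:]
        else:                       # form: <service> <list> <methods...>
            service, name, rest = w[2], w[3], w[4:]
        methods, i = [], 0
        while i < len(rest):        # "group <name>" counts as one method
            step = 2 if rest[i] == "group" and i + 1 < len(rest) else 1
            methods.append(" ".join(rest[i:i + step]))
            i += step
        found[(w[1], service, name)] = methods
    return found


def audit_exec(config):
    """Return findings about EXEC authorization for the default login list."""
    lists = method_lists(config)
    login = lists.get(("authentication", "login", "default"), [])
    if "group tacacs+" not in login:
        return []                   # default login does not use TACACS+
    exec_auth = lists.get(("authorization", "exec", "default"))
    if exec_auth is None:
        return ["no 'aaa authorization exec default' list: a privilege level "
                "assigned by TACACS+ is not applied at login, so enable is still needed"]
    if exec_auth[-1].startswith("group "):
        return ["exec authorization has no fallback method after the server group"]
    return []
```
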